Once a week Kerberos failure between web and db server.

JimLad jamesdbirch at yahoo.co.uk
Fri Sep 7 09:45:10 EDT 2007


Hi,

Once a week, to the second, we get a Kerberos failure between our web
server and db server. This is causing us considerable problems.
Everything runs fine the rest of the week. The problem lasts from a
few seconds to a few minutes, apparently dependent on the number of
users on at the time.

The website is running IIS6 on Windows 2003 SP2. The db server is
running SQL Server 2000 SP4 on Windows 2003 SP1. The domain controller
is running Windows 2003 SP1.
We are using constrained delegation and protocol transition.

The message on the KDC/DC is (where S03 is the DC, S72 is the web
server and S10 is the db server):

Event Type:	Failure Audit
Event Source:	Security
Event Category:	Account Logon
Event ID:	673
Date:		06/09/2007
Time:		17:01:56
User:		NT AUTHORITY\SYSTEM
Computer:	S05010003
Description:
Service Ticket Request:
 	User Name:		S05010072$@CORP.DNSDOM.NET
 	User Domain:		CORP.DNSDOM.NET
 	Service Name:		MSSQLSvc/S05010010.corp.dnsdom.net:1433
 	Service ID:		-
 	Ticket Options:		0x40830000
 	Ticket Encryption Type:	-
 	Client Address:		10.1.1.88
 	Failure Code:		0xB
 	Logon GUID:		-
 	Transited Services:	-

0xB is the error code for KDC_ERR_NEVER_VALID, but I've checked the
times and timezones on the servers and there aren't any differences,
certainly not the 5 minutes necessary to cause this message.

A second after this message we get a successful ticket issued to the
account that sql server runs under:

Event Type:	Success Audit
Event Source:	Security
Event Category:	Account Logon
Event ID:	673
Date:		06/09/2007
Time:		17:01:57
User:		NT AUTHORITY\SYSTEM
Computer:	S05010003
Description:
Service Ticket Request:
 	User Name:		S05010072$@CORP.DNSDOM.NET
 	User Domain:		CORP.DNSDOM.NET
 	Service Name:		S05010010_SYSTEM
 	Service ID:		CORP\S05010010_SYSTEM
 	Ticket Options:		0x40830000
 	Ticket Encryption Type:	0x17
 	Client Address:		10.1.1.88
 	Failure Code:		-
 	Logon GUID:		{385e5858-a6e2-34c7-fa6a-c495f2edacf3}
 	Transited Services:
		HTTP/<website>.com@CORP.DNSDOM.NET

SPNs shown below:

C:\Documents and Settings\helpdesk>setspn -L s05010010_system
Registered ServicePrincipalNames for CN=XYZSystems,OU=Users\\Groups,OU=ServiceAdmins,DC=corp,DC=dnsdom,DC=net:
	MSSQLSvc/S05010010.corp.dnsdom.net:1433
	MSSQLSvc/S05010010:1433

C:\Documents and Settings\helpdesk>setspn -L s05010072
Registered ServicePrincipalNames for CN=S05010072,OU=Server2003,OU=PSG Servers,DC=corp,DC=dnsdom,DC=net:
    http/<website>.com
    http/demo.<website>.com
    http/copy.<website>.com
    HOST/S05010072.corp.dnsdom.net
    HOST/S05010072

These are the commands that were used to create the SPNs on the db
server:

setspn -a MSSQLSvc/S05010010.corp.dnsdom.net:1433 S05010010_system
setspn -a MSSQLSvc/S05010010:1433 S05010010_system

Anyone have any idea what is wrong?

Cheers,

James
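An added example (my code, not James's or anything from the Kerberos list): a Python script that parses 673 audit events pasted from Event Viewer, decodes the Failure Code and Ticket Options fields, pairs each failed TGS request with the success that follows from the same client address, and checks the requested SPN against `setspn -L` output. The sample events and SPN listing are abridged from the post above (mail-wrapped DNs rejoined, the obfuscated "@" in the transited-services realm restored); the date format is assumed to be dd/mm/yyyy as in the post, and the option-bit names follow RFC 4120 and MS-KILE.

```python
"""Decode and correlate Windows Server 2003 Kerberos TGS audits (event 673). Added example, not from the post."""
import re
from datetime import datetime, timedelta

# Failure Code values (shown in hex) per RFC 4120 section 7.5.9.
KRB_ERRORS = {0x6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 0x7: "KDC_ERR_S_PRINCIPAL_UNKNOWN", 0xB: "KDC_ERR_NEVER_VALID",
              0xD: "KDC_ERR_BADOPTION", 0x18: "KDC_ERR_PREAUTH_FAILED", 0x25: "KRB_AP_ERR_SKEW"}
# KDCOptions flags, bit 0 = most significant bit (RFC 4120; bit 14 as named in MS-KILE).
KDC_OPTIONS = {1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy", 8: "renewable",
               14: "cname-in-addl-tkt", 15: "canonicalize", 27: "renewable-ok", 30: "renew", 31: "validate"}
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+):\s*(.*)$")  # "Key:<whitespace>value"

# The two events from the post, cut down to the fields read below ('@' restored in the realm).
SAMPLE_EVENTS = r"""
Event Type:     Failure Audit
Date:           06/09/2007
Time:           17:01:56
Service Ticket Request:
    User Name:          S05010072$@CORP.DNSDOM.NET
    Service Name:       MSSQLSvc/S05010010.corp.dnsdom.net:1433
    Ticket Options:     0x40830000
    Client Address:     10.1.1.88
    Failure Code:       0xB
    Transited Services: -
Event Type:     Success Audit
Date:           06/09/2007
Time:           17:01:57
Service Ticket Request:
    User Name:          S05010072$@CORP.DNSDOM.NET
    Service Name:       S05010010_SYSTEM
    Ticket Options:     0x40830000
    Client Address:     10.1.1.88
    Failure Code:       -
    Transited Services:
        HTTP/<website>.com@CORP.DNSDOM.NET
"""
# setspn -L output for the SQL service account from the post (mail-wrapped DN rejoined).
SAMPLE_SETSPN = r"""
C:\Documents and Settings\helpdesk>setspn -L s05010010_system
Registered ServicePrincipalNames for CN=XYZSystems,OU=Users\\Groups,OU=ServiceAdmins,DC=corp,DC=dnsdom,DC=net:
    MSSQLSvc/S05010010.corp.dnsdom.net:1433
    MSSQLSvc/S05010010:1433
"""

def decode_options(value):
    """Names of the option bits set in a Ticket Options value such as 0x40830000."""
    return [name for bit, name in sorted(KDC_OPTIONS.items()) if value & (1 << (31 - bit))]

def decode_failure(code):
    """Kerberos error name for a Failure Code field; '-' means the request succeeded."""
    if code.strip() == "-":
        return None
    return KRB_ERRORS.get(int(code, 16), "unknown " + code)

def parse_events(text):
    """One dict per pasted event, keyed by field name, plus decoded when/options/error."""
    events = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        if not chunk.strip():
            continue
        fields, key = {}, None
        for line in chunk.splitlines():
            m = FIELD_RE.match(line)
            if m:
                key, fields[m.group(1)] = m.group(1), m.group(2).strip()
            elif line.strip() and key and not fields[key]:
                fields[key] = line.strip()  # value wrapped onto the next line (Transited Services)
        # dd/mm/yyyy as in the post (UK locale); change the format for other locales.
        fields["when"] = datetime.strptime(fields["Date"] + " " + fields["Time"], "%d/%m/%Y %H:%M:%S")
        fields["options"] = decode_options(int(fields["Ticket Options"], 16))
        fields["error"] = decode_failure(fields["Failure Code"])
        events.append(fields)
    return events

def correlate(events, window=timedelta(seconds=5)):
    """Pair each failure with the first later success from the same client inside the window."""
    pairs = []
    for fail in (e for e in events if e["error"]):
        for ok in (e for e in events if not e["error"]):
            gap = ok["when"] - fail["when"]
            if ok["Client Address"] == fail["Client Address"] and timedelta(0) <= gap <= window:
                pairs.append((fail, ok, gap))
                break
    return pairs

def spn_owners(setspn_output):
    """{spn.lower(): [owning DNs]} from one or more setspn -L listings."""
    owners, dn = {}, None
    for line in setspn_output.splitlines():
        m = re.match(r"Registered ServicePrincipalNames for (.+):$", line.strip())
        if ">setspn" in line:  # a command prompt starts the next listing
            dn = None
        elif m:
            dn = m.group(1)
        elif dn and line.strip():
            owners.setdefault(line.strip().lower(), []).append(dn)
    return owners

def check_spn(service_name, owners):
    """'ok' when exactly one account holds the requested SPN; otherwise why the KDC would balk."""
    accounts = owners.get(service_name.lower(), [])
    return "unregistered" if not accounts else "ok" if len(accounts) == 1 else "duplicate"
```

Run against the two events, `parse_events` reports the first as KDC_ERR_NEVER_VALID with options forwardable, renewable, cname-in-addl-tkt and canonicalize (the S4U2proxy shape expected under constrained delegation), `correlate` pairs it with the success one second later, and `check_spn` confirms that MSSQLSvc/S05010010.corp.dnsdom.net:1433 is held by exactly one account, so a missing or duplicated SPN is ruled out as the cause. To use it on a live box, paste a longer run of events into `SAMPLE_EVENTS` (or read them from a file) and look at the gaps the correlation produces around the weekly window.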



